K
Kevin Watkins
Hi,
Hoping someone can help me. I have noticed different behaviour between
a website launched from Windows explorer and Internet Explorer. I have
set up a simple test application to demonstrate this problem:
1. Create a new ASP.NET application in VS.NET at
http://localhost/test.
2. Added a default form, Default.aspx, that has a simple button that
does the FormsAuthentication stuff:
<%@ Page language="c#" Codebehind="Default.aspx.cs"
AutoEventWireup="false" Inherits="LoginTest._Default" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>Default</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
<asp:Button id="Button1" runat="server" Text="Set
Session"></asp:Button>
<br/>
<br/>
<asp:Label id="Label1" Runat="server"></asp:Label>
</form>
</body>
</HTML>
public class _Default : System.Web.UI.Page
{
protected System.Web.UI.WebControls.Label Label1;
protected System.Web.UI.WebControls.Button Button1;
#region Web Form Designer generated code
override protected void OnInit(EventArgs e)
{
InitializeComponent();
base.OnInit(e);
}
private void InitializeComponent()
{
this.Button1.Click += new System.EventHandler(this.Button1_Click);
}
#endregion
private void Button1_Click(object sender, System.EventArgs e)
{
FormsAuthentication.RedirectFromLoginPage("user", false);
}
}
2. Added a second form that does nothing:
<%@ Page language="c#" Codebehind="NeedsAuth.aspx.cs"
AutoEventWireup="false" Inherits="LoginTest.NeedsAuth" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>NeedsAuth</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
Hello!
</form>
</body>
</HTML>
public class NeedsAuth : System.Web.UI.Page
{
protected System.Web.UI.WebControls.Label LoginLabel;
private void Page_Load(object sender, System.EventArgs e)
{
}
#region Web Form Designer generated code
override protected void OnInit(EventArgs e)
{
InitializeComponent();
base.OnInit(e);
}
private void InitializeComponent()
{
this.Load += new System.EventHandler(this.Page_Load);
}
#endregion
}
3. Changed my web.config file to the following:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation defaultLanguage="c#" debug="true"/>
<customErrors mode="RemoteOnly"/>
<authentication mode="Forms">
<forms name="TestAuth" loginUrl="Default.aspx" protection="All"
timeout="30" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true"/>
<sessionState mode="InProc" cookieless="false" timeout="40"/>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
</configuration>
Now, if I load up IE by clicking on the IE icon in my desktop, then
type in http://localhost/test/NeedsAuth.aspx, it redirects me to
Default.aspx. I click on the button and it redirects me back to
NeedsAuth.aspx as it should. Now if I shut down IE, then load it up
again by clicking on the IE icon and go to
http://localhost/test/NeedsAuth.aspx it redirected me to Default.aspx
and I have to login again as expected.
Everything fine so far. However, if I try this via Windows explorer I
get different behaviour. If I double click on 'My Computer' and enter
http://localhost/test/NeedsAuth.aspx into the address bar, it
redirects me to Default.aspx. I click on the button and it redirects
me back to NeedsAuth.aspx as it should. Now if I close the window,
then double click on 'My Computer' and enter
http://localhost/test/NeedsAuth.aspx again, it does not redirect me to
Default.aspx and I am fully logged in.
Similar tests with Page.Session and no authentication indicate that it
also has the same behaviour.
I presume this is to do with the way Windows explorer runs IE. Get get
an IExplore process in task manager if I load IE via its icon, but I
do not if I enter the URL into My Computer.
This is obviously giving me a major security hole; a user could load
up my application, forget to log out properly, (Or have their browser
crash) then another user could come along and enter the URL and be
fully logged in.
I've tried lots of things to get around this, but cannot solve the
problem. Currently I'm considering using a <body unload=> JavaScript
method to post somewhere that does the FormsAuthentication.SignOut(),
but obviously this isn't great and wouldn't be any use if the browser
crash. I've tried searching in these forums and in various newsgroups
without any luck.
Hopefully its me being a muppet and I've missed something stupid. If
anyone can help I'd be really grateful!
Cheers,
Kev
Hoping someone can help me. I have noticed different behaviour between
a website launched from Windows explorer and Internet Explorer. I have
set up a simple test application to demonstrate this problem:
1. Create a new ASP.NET application in VS.NET at
http://localhost/test.
2. Added a default form, Default.aspx, that has a simple button that
does the FormsAuthentication stuff:
<%@ Page language="c#" Codebehind="Default.aspx.cs"
AutoEventWireup="false" Inherits="LoginTest._Default" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>Default</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
<asp:Button id="Button1" runat="server" Text="Set
Session"></asp:Button>
<br/>
<br/>
<asp:Label id="Label1" Runat="server"></asp:Label>
</form>
</body>
</HTML>
public class _Default : System.Web.UI.Page
{
protected System.Web.UI.WebControls.Label Label1;
protected System.Web.UI.WebControls.Button Button1;
#region Web Form Designer generated code
override protected void OnInit(EventArgs e)
{
InitializeComponent();
base.OnInit(e);
}
private void InitializeComponent()
{
this.Button1.Click += new System.EventHandler(this.Button1_Click);
}
#endregion
private void Button1_Click(object sender, System.EventArgs e)
{
FormsAuthentication.RedirectFromLoginPage("user", false);
}
}
2. Added a second form that does nothing:
<%@ Page language="c#" Codebehind="NeedsAuth.aspx.cs"
AutoEventWireup="false" Inherits="LoginTest.NeedsAuth" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>NeedsAuth</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
Hello!
</form>
</body>
</HTML>
public class NeedsAuth : System.Web.UI.Page
{
protected System.Web.UI.WebControls.Label LoginLabel;
private void Page_Load(object sender, System.EventArgs e)
{
}
#region Web Form Designer generated code
override protected void OnInit(EventArgs e)
{
InitializeComponent();
base.OnInit(e);
}
private void InitializeComponent()
{
this.Load += new System.EventHandler(this.Page_Load);
}
#endregion
}
3. Changed my web.config file to the following:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation defaultLanguage="c#" debug="true"/>
<customErrors mode="RemoteOnly"/>
<authentication mode="Forms">
<forms name="TestAuth" loginUrl="Default.aspx" protection="All"
timeout="30" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true"/>
<sessionState mode="InProc" cookieless="false" timeout="40"/>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
</configuration>
Now, if I load up IE by clicking on the IE icon in my desktop, then
type in http://localhost/test/NeedsAuth.aspx, it redirects me to
Default.aspx. I click on the button and it redirects me back to
NeedsAuth.aspx as it should. Now if I shut down IE, then load it up
again by clicking on the IE icon and go to
http://localhost/test/NeedsAuth.aspx it redirected me to Default.aspx
and I have to login again as expected.
Everything fine so far. However, if I try this via Windows explorer I
get different behaviour. If I double click on 'My Computer' and enter
http://localhost/test/NeedsAuth.aspx into the address bar, it
redirects me to Default.aspx. I click on the button and it redirects
me back to NeedsAuth.aspx as it should. Now if I close the window,
then double click on 'My Computer' and enter
http://localhost/test/NeedsAuth.aspx again, it does not redirect me to
Default.aspx and I am fully logged in.
Similar tests with Page.Session and no authentication indicate that it
also has the same behaviour.
I presume this is to do with the way Windows explorer runs IE. Get get
an IExplore process in task manager if I load IE via its icon, but I
do not if I enter the URL into My Computer.
This is obviously giving me a major security hole; a user could load
up my application, forget to log out properly, (Or have their browser
crash) then another user could come along and enter the URL and be
fully logged in.
I've tried lots of things to get around this, but cannot solve the
problem. Currently I'm considering using a <body unload=> JavaScript
method to post somewhere that does the FormsAuthentication.SignOut(),
but obviously this isn't great and wouldn't be any use if the browser
crash. I've tried searching in these forums and in various newsgroups
without any luck.
Hopefully its me being a muppet and I've missed something stupid. If
anyone can help I'd be really grateful!
Cheers,
Kev